Windows Vista spent a very long time in development and puts a new face on just about every feature found in the OS. The Windows firewall in Vista has been a part of this transformation, and includes a number of new features not found in previous versions of the technology. In this article, I'll spend some time discussing the enhancements found in Windows Vista's Firewall -- hereafter called Windows Firewall -- and will explain how to manage this feature.
Vista firewall enhancements
In Windows XP Service Pack 2, Microsoft shipped a vastly improved -- at the time -- client-based firewall solution. The Windows XP firewall in SP2 was enabled by default, which meant that computers were instantly granted better protection from attack. However, the firewall in XP SP2 was missing some key features that have been included in Windows Firewall.
Although there are more, there are two major improvements to the firewall that make it a very viable solution for Vista users:
- The Windows Firewall now includes application-aware outbound filtering, which provides directional control over all traffic to and from your computer and your user's computers.
- Microsoft has included an advanced management interface in order to allow administrators to very granularly apply rules to workstations. Further, the Windows Firewall can be managed from Group Policy, meaning that corporate IT can more easily enforce organizational computing policies that may ban specific activities, such as instant messaging or peer-to-peer file sharing.
Managing Windows Firewall
In Vista, Microsoft has provided two distinct interfaces to configure the Windows Firewall:
- Traditional or basic control panel method. This is a relatively simplistic firewall configuration tool for the Windows Firewall. It looks a lot like the Windows XP firewall management tool.
- Windows Firewall with Advanced Security settings applet. Intended more for the technically-inclined, this advanced interface provides very granular firewall configuration options.
You’ll learn about both interfaces in this article.
Using the Basic Control Panel interface
The first method, which you could consider the "traditional" or basic management method, will be familiar to anyone that has managed Windows Firewall since its introduction into Windows XP. In Vista, this management interface can be found at Start | Control Panel | Security | Windows Firewall by pressing the Change Settings button, but don't do that quite yet. If you're using the Control Panel’s classic view in your Vista installation, go to Start | Control Panel | Windows Firewall and, in a minute, choose the Change settings option. Figure A gives you a look at the initial Windows Firewall informational window.
|The Windows Firewall information window.|
This window provides you with some general information regarding Windows Firewall, such as whether the firewall is enabled, whether inbound connections are blocked, how firewall-related notifications are handled, and the location of your network. Windows Vista Firewall uses the network location parameter to determine appropriate firewall settings for your computer. I’ll talk more about the possible location settings later. To change your firewall settings, select the Change settings option. This option opens up the Windows Firewall Settings window. When you open this window, the General tab is selected, as shown in Figure B.
|The Windows Firewall Settings window with the General tab selected.|
On this screen are three options. The primary options, On and Off, simply enable and disable Windows Firewall. The checkbox in the middle of the screen, Block All Incoming Connections, is useful when you’ve taken your computer to a place, such as a public Wi-Fi hotspot, and you don’t want to allow any incoming connections at all to your computer. When you select this checkbox, even services that you have exempted from Windows Firewall are blocked, providing a high level of security in low-security environments.
The Exceptions tab, shown in Figure C, provides a way for you to exclude specific services or TCP/UDP ports from being subject to blocking by Windows Firewall.
|The Windows Firewall Settings window with the Exceptions tab selected.|
The main window on this tab displays a list of services that you can select to be exempted from the Windows Firewall. The machine in this screenshot is a brand-new Vista installation and shows you the services that are exempted as a part of the Vista installation. To allow a particular program or port access through the firewall, select the checkbox next to that service, and press OK.
If the program you want to add is not on the list, press the Add Program button at the bottom of the window. The Add A Program screen, shown in Figure D, pops up.
|Add a custom program to the list of exceptions.|
Select the desired program or, if your program is not listed, press the Browse button and point the Windows Firewall at the appropriate executable.
The Change Scope button located at the bottom of this page provides you with a way to limit from what computers the port or program can be used. This screen (Figure E) has three options:
- Any Computer (including those on the Internet): Allow traffic to this service to originate from anywhere.
- My Network (subnet) Only: Allow traffic to this service to originate from local computers only.
- Custom List: Provide an IP address and, optionally, a subnet range. Only computers included in the ranges specified will be allowed to access the service. IP addresses can be provided in either IPv4 or IPv6 format.
|The Change Scope window.|
Take a look now back at Figure C. Next to the Add Program button is a button labeled Add Port. Pressing this button results in the display of the window shown in Figure F, which allows you to add a firewall exception based on a TCP or UDP port number. On the Add Port page, provide a descriptive name for the port/service, the actual port number and indicate whether the exception is for a TCP port or for a UDP port. The downside here is that you have to provide each port individually, which can get rather tedious if you have a lot of ports to open.
|Add a TCP or UDP port exception.|
Again, you can use the Change Scope button to limit the origination point for traffic that uses this exception. The information is the same as that shown in Figure E.
Back on the Properties page for the Windows Firewall, take note of the Properties and Delete buttons. If you've added custom programs and ports to the list of services, use the Delete button to remove the entry if necessary. The Properties button provides you with a description of the selected service.
Finally, take note of the checkbox at the bottom of the Exceptions tab. The Notify Me When Windows Firewall Blocks A New Program checkbox makes Windows let you know when a new program or service tries to make its way through the firewall.
The last tab on the Windows Firewall Setting screen ostensibly provides some "advanced" configuration options. In reality, there's not much here. What is available is shown in Figure G.
|The Advanced Windows Firewall settings tab.|
The options on this tab are very self-evident, so I won’t bore you with the details.
At this point, you might be asked yourself a couple of questions:
- Where do I configure ICMP settings?
- Why didn’t I see any outbound firewall configuration rules?
This is where the advanced configuration interface comes into the picture.
Windows Firewall with Advanced Security
New in Windows Vista is a second interface, named Windows Firewall with Advanced Security. This interface is not for the typical home user, but is much more flexible and provides more savvy users with the ability to perform extremely granular Windows Firewall configuration tasks.
This advanced interface is accessible via a couple of different methods:
- Via the Control Panel: Start | Control Panel | Class View | Administrative Tools | Windows Firewall with Advanced Security.
- Or, follow these steps:
- Go to Start | All Programs | Accessories and choose Run.
- In the Run box, type MMC and press [Enter].
- In the Microsoft Management Console window, navigate to File | Add/Remove Snap-in.
- From the Add/Remove Snap-in dialog box, shown in Figure H, in the Available Snap-in pane, scroll down to Windows Firewall with Advanced Security.
- Press the Add button.
- When asked to select the computer that should be managed by this snap-in, select the Local Computer option and press Finish.
- Press OK. This will bring you back to the MMC.
- Press the down arrow next to Windows Firewall with Advanced Security. This expands the firewall configuration options and displays current firewall status. This screen is shown in Figure I.
|The MMC showing the Windows Firewall status.|
There are a ton of configuration options available from this main configuration window. I will go through the major points in this article. First, take note that the Overview section provides you with quite a bit of information related to the status of your Windows Firewall.
Windows Firewall with Advanced Security properties window
The first place to look is the properties window for the firewall accessible via the Properties link in the Actions pane. Note that, in Figure J, the Domain Profile tab is selected. Also note that the Public Profile and Private Profile tabs have the exact same options as the Domain Profile tab.
|The Properties page opens up with the Domain Profile tab selected.|
Before I continue, this is a good time to explain the difference in the various profiles:
- Domain Profile: The options included in this profile are enforced when the computer is connected to a corporate domain.
- Private Profile: The options included in this profile are enforced when the computer is connected to a private network.
- Public Profile: The options included in this profile are enforced when the computer is connected to a public network.
From any of the profile tabs, you can perform a number of tasks:
- Enable or disable the firewall by clicking the Firewall state button.
- Determine how inbound connections should be handled. Your choices are:
- Block (default): Block incoming traffic according to the firewall rules you have defined.
- Block all connections: Block all incoming traffic, regardless of firewall rules.
- Allow: Allow all incoming traffic to traverse the firewall.
- Determine how to handle outbound connections; your choices are to either allow or block. There is no option for blocking all.
- Customize the behavior of the Windows Firewall by pressing the Customize button next to Settings.
- Determine how much logging should take place by pressing the Customize button next to Logging.
The screen shown below in Figure K is what you see when you press the Customize button in the Settings section of the Properties page. On this screen, decide how you want to handle firewall notifications and whether unicast responses to multicast/broadcast traffic are allowed.
|Customize Settings for the selected profile.|
If you want to modify logging options, click the Customize button at the bottom of the window. You'll get a window like the one in Figure L.
|Customize logging settings for the selected profile.|
From this window, use the Browse button to select the path and filename for the firewall log file. Also specify the maximum log file size and indicate whether or not you want to log dropped packets and/or successful connections. If you log too much information, your log file may get unwieldy.
Back on the Properties page, the only tab that is different from the others is the IPsec Settings tab, which is displayed in Figure M.
|The IPsec Settings tab.|
There's not much on this screen. From here, you can call up the more substantial IPsec configuration window, shown below in Figure N. You can also choose to exclude ICMP packets from IPsec. Doing so can simplify your network troubleshooting efforts since it takes the IPsec layer out of the equation.
|Further customize your firewall’s IPsec settings.|
The options shown in Figure N are the real meat behind your IPsec configuration. From here, you can configure your key exchange mode, data protection mode, and authentication method. Note that each option included a "Default" selection as well as other options from which to choose. Each option also includes an "Advanced" selection. When you choose one of the Advanced selections, the associated Customize button is enabled. The options found when you press one of the Customize buttons allow extremely granular IPsec configurations. Each of the Advanced option windows are shown below in Figures O, P and Q.
|Advanced IPsec key exchange options available in Windows Firewall.|
|Advanced IPsec data protection options.|
|Advanced authentication methods window along with other authentication options.|
Other Windows Firewall configuration settings
Now that you have seen the Windows Firewall properties pages, let's take a look at some of the other user interface elements. Take a look back at Figure I. I'll start with the options at the left-hand side of the main configuration window:
- Inbound Rules: Allows you to set rules that affect how inbound traffic is to be handled by Windows Firewall.
- Outbound Rules: Allows you to set rules that affect how outbound traffic is to be handled by Windows Firewall.
- Connection Security Rules: Uses IPsec to secure traffic between the computer running Windows Firewall and another computer running Windows Firewall or using a compatible IPsec policy. I won’t be talking too much about these kinds of rules in this article.
- Monitoring: The monitoring options provide you with a way to find out what your firewall is doing. I won’t be talking too much about monitoring in this article.
The Windows Firewall has always had the capability to block incoming traffic. However, with the advanced configuration view, Windows Firewall has become much more flexible for people that know how to configure the services. Figure R gives you a look at the Inbound Rules part of the firewall management interface.
|Windows Firewall inbound rules list.|
Note that each rule listed in the middle of the window has either a gray or a green checkmark next to the rule. A green checkmark indicates that the rule is enabled, while a gray checkmark signifies that the rule is defined, but is not enabled. To enable or disable an existing rule, right-click the rule and choose either Enable Rule or Disable Rule.
There are a significant number of inbound rules available for you to use in Windows Firewall. Note that each individual rule shown in Figure J manages just a single aspect of the service. For example, there are a number of rules that start with the name "Core Networking." Each rule manages a very specific program or protocol; for example, one rule might only allow incoming SMTP connections over TCP port 25. All of the Core Networking rules are enabled since, without some of them, your computer would probably not function effectively. If you want to seriously harden your Vista workstation, you can disable some of the rules, though. Many of the rules are transport protocol version specific. That is, some rules are for IPv4 or IPv6 specifically, but not for both simultaneously. If you are not using IPv6 on your network, you can disable the IPv6-targeted rules.
The Outbound Rules option looks just like the Inbound Rules screen shows in Figure J, and works the same way. We’ll take a look at creating new rules soon.
Creating New Rules
The Windows Firewall gives you the ability to create inbound and outbound rules on a number of criteria, including managing access by a specific program or managing access based TCP or UDP port. To add a new rule, select either Inbound Rules or Outbound Rules (depending on what you need), and then select the New Rule option in the MMC. This starts a wizard that walks you through the rule creation process.
The first screen of the wizard, shown in Figure S, asks that you decide what kind of rule you want to create. For this example, I’ll create a custom rule in order to demonstrate the widest possibilities.
|Choose the type of rule you wish to create.|
On the wizard’s second page, select the programs and services that should be restricted by the new rule. You can choose to have the new rule apply to all programs and services that are run (meaning that the rule just looks for general connections and not for connections for specific programs or services), or to only a specific program or service.
Figure T shows you how you can restrict the rule to a specific program. If you want to restrict the rule to a specific service, press the Customize button. The screen shown in Figure U shows that you can apply the rule to all programs and services, to just services, to a service that you choose from a list, or to a service whose short name you type into the dialog box at the bottom of the window.
|What programs and services should be restricted by this rule?|
|Which services should be covered by the rule?|
For my example, I'm applying the new rule to all programs and services.
Page three of the wizard, shown in Figure V, asks that you provide protocols and ports that should apply to this rule.
|Which protocols and ports should be handled by the rule?|
This screen requests the information in the following sections.
The allowed protocol types are as follows:
- HOPOPT (IPv6 Hop-by-Hop Option)
The Local port option is available only if you select TCP or UDP for the protocol type. A local port is a port on the computer running the Windows Firewall.
The allowed options for Local port are:
- All ports
- Specific ports
- Dynamic RPC
- RPC Endpoint Mapper
- Edge Traversal
The Remote port option is available only if you select TCP or UDP for the protocol type. A remote port is a port on a computer that is trying to communicate with your local computer.
For remote port, you can use either All Ports or Specific Ports.
Internet Control Message Protocol (ICMP) settings
If you selected one of the ICMP options under Protocol type, the Customize button next to this option becomes available. Pressing this button opens the Customize ICMP Settings window shown in Figure W. On this screen, you can choose to apply the rule to all ICMP types, or to just specific ICMP types.
|The Customize ICMP Settings window.|
The next page of the wizard, shown in Figure X, asks you for the local and remote IP addresses (scope) for the new rule. The scope can be applied to both inbound and outbound traffic rules, thus applying the rule to any traffic that meets the scope criteria as well as other rule details.
|What IP addresses will this rule match?|
Once you've defined the parameters under which a rule will take effect, you need to decide what to do in the event of a match. As shown in Figure Y, you have three options:
- Allow The Connection, regardless of whether or not IPsec is enabled for the connection.
- Allow The Connection Only If It Is Secured By IPsec. You can also choose sub-options here for additional security. If you select this action, you must also indicate which users or computers can initiate trusted connections.
- Block The Connection.
|What action should be taken when there is a match?|
I'm not going to show screens for the last two wizard pages. The second to last page, Profile, asks that you select to which profile -- domain, private or public -- the new rule will be applied. The last screen of the wizard asks that you name the new rule and, optionally, provide a detailed description.
When you’re done creating your new rule, it will appear in the list of rules on the main firewall configuration window.
There’s no doubt that Windows Firewall, from a capability perspective, can run with the big boys when it comes to client-level protection. However, there are two points worth mentioning that make Vista’s new firewall less than ideal:
- Outbound monitoring is not enabled by default: This means that users may be under the false assumption that their computers are "better protected" than they were under XP.
- A seriously complex advanced management interface: The average home user is simply not going to be able to manage this service. Sure, a home user will have less trouble with the basic interface, but the basic interface does not provide a way to enable outbound monitoring, nor does it provide any of the granular management features found in the advanced counterpart. Until Microsoft can significantly simplify the advanced firewall interface, home users will not be able to enjoy the new technical functionality included in the firewall.
A major upgrade
The firewall included in Windows Vista is a far cry from Microsoft’s earlier efforts to create a robust firewall. With its bidirectional protection capabilities, super-granular management options, and wide-reaching configuration parameters, it’s also not for the uninitiated.